Topic: Ultralight C changing default 3DES key

Hi to all, i'm developing under Android (java) an application to use Ultralight C tags.
After studing libnfc, now i'm able to got authentication!!!
Now is important  know how change default 3DES key....
Do someone can explain to me how write a new KEY atfer the authentication?

Re: Ultralight C changing default 3DES key

Hello,

Ultralight C is implemented in libfreefare, so feel free to read the code smile

Romuald Conty

Re: Ultralight C changing default 3DES key

Hey Rconty i'm using libfreefare. The Change key option is only present for the Desfire tags, not Ultralight. Any help on this? Many thanks

Re: Ultralight C changing default 3DES key

Hi,

To change the key, just write it to memory in pages 0x2C-0x2F

Phil

Re: Ultralight C changing default 3DES key

Hey Phil, thank you for your reply. I'm using the following code snipped to write to a page:

MifareUltralightPageNumber n = 7;
MifareUltralightPage payload1  = { 0x63, 0x75, 0x65, 0x63};
res = mifare_ultralight_write (tag, n, payload1);

I'm not sure how I can translate pages 0x2C-0x2F into MifareUltralightPageNumber.

Also, how can I protect the pages from being written?

Many thanks

Re: Ultralight C changing default 3DES key

Hey Phil, sorry. I did some research and discovered that the pages 0x2C-0x2F represent the blocks/pages 44-47

Is that right? If that's the case, I can write a new password starting with this command?

mifare_ultralight_write (tag, 44, payloadForPage44);

Is there any command to protect a range of blocks from being written?

Many thanks once again

7 (edited by yobibe 2012-11-11 19:58:43)

Re: Ultralight C changing default 3DES key

0x2C-0x2F = 44-47 indeed

To write e.g. key "000102030405060708090A0B0C0D0E0F" it should be something like:

MifareUltralightPage payloadForPage44  = { 0x07, 0x06, 0x05, 0x04};
MifareUltralightPage payloadForPage45  = { 0x03, 0x02, 0x01, 0x00};
MifareUltralightPage payloadForPage46  = { 0x0F, 0x0E, 0x0D, 0x0C};
MifareUltralightPage payloadForPage47  = { 0x0B, 0x0A, 0x09, 0x08};
mifare_ultralight_write (tag, 44, payloadForPage44);
mifare_ultralight_write (tag, 45, payloadForPage45);
mifare_ultralight_write (tag, 46, payloadForPage46);
mifare_ultralight_write (tag, 47, payloadForPage47);

See http://www.libnfc.org/community/post/3870/#p3870 for access control bytes

Phil

Re: Ultralight C changing default 3DES key

Awesome! Thank you so much Phil!

Re: Ultralight C changing default 3DES key

Hey Phil I was able to successfully change the key! However, I'm not having much success when I try to authenticate with the new key. So I followed your example as follows:

MifareUltralightPage payloadForPage44  = "test";
   MifareUltralightPage payloadForPage45  = "test";
  MifareUltralightPage payloadForPage46  = "test";
  MifareUltralightPage payloadForPage47  = "test";

mifare_ultralight_write (tag, 44, payloadForPage44);
mifare_ultralight_write (tag, 45, payloadForPage45);
mifare_ultralight_write (tag, 46, payloadForPage46);
mifare_ultralight_write (tag, 47, payloadForPage47);

Then, I try to re-authenticate with the following code, but with no success:

  uint8_t key1_3des_data\[16\] = "testtesttesttest";
  key = mifare_desfire_3des_key_new (key1_3des_data);
  res = mifare_ultralightc_authenticate (tag, key);

I know this is not a C forum, so apologies if this issue is related to my lack of understanding of C syntax and data structures.

Thanks

10 (edited by yobibe 2012-11-13 23:39:34)

Re: Ultralight C changing default 3DES key

See in my example bytes are swapped so you've to use:
uint8_t key1_3des_data\[16\] = "tsettsettsettset";

Note that I just found a bug in libfreefare mifare_ultralight_read() triggered by recent bufferzise checks in libnfc.
This is fixed in r1105
I also added a test for default ULC key in examples/mifare-ultralight-info (in r1106)

To restore the default key:
MifareUltralightPage payloadForPage44  = "BREA";
MifareUltralightPage payloadForPage45  = "KMEI";
MifareUltralightPage payloadForPage46  = "FYOU";
MifareUltralightPage payloadForPage47  = "CAN!";

Phil

Re: Ultralight C changing default 3DES key

Hey Phil, thank you so much for the info. I tried to use the swapped bytes example you've sent me but had no success. So I decided to update libfreefare. I've updated the lib to the latest revision but now I'm getting "segmentation fault: 11" in my code and also in every example that I run. I tried to delete all the libfreefare references in /usr/local/lib and /usr/local/include, and reinstall the library, but I'm still getting the segmentation fault error. I'm running the latest stable release for MAC: libnfc-1.6.0-rc1.

Thanks

Isaac

Re: Ultralight C changing default 3DES key

This is the log that I get running
"gdb mifare-ultralight-info" after I compile and run the example "mifare-ultralight-info" provided in the latest revision:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000009
pn53x_initiator_transceive_bytes (pnd=0x7fff5fbfbeba, pbtTx=0x101901558 "?", szTx=2, pbtRx=0x7fff5fbfc227 "", pszRx=0x9, timeout=1606402288) at pn53x.c:1324
1324    pn53x.c: No such file or directory.
    in pn53x.c

Thank you once again
Isaac

Re: Ultralight C changing default 3DES key

This is because you're using libfreefare latest revision with libnfc latest release.
You've to use also libnfc latest revision, not libnfc-1.6.0-rc1.
API of transceive_bytes has been changed in May.

Phil

Re: Ultralight C changing default 3DES key

Hey Phil, I really appreciate all your help.

I know this is a separate issue unrelated to the original scope of the original topic of this thread (Ultralight C changing default 3DES key), so apologies for continuing this conversation in here.

I uninstalled libfreefare and libnfc and reinstalled both using the latest SVN revisions.

When I reinstalled libnfc, it was unable to open the NFC reader I'm using (ACR122 ) when I executed the bundled nfc-list, located in the utils directory of libnfc.  When looking for a solution fot this, I've came across the issue 208 (http://code.google.com/p/libnfc/issues/ … amp;id=208), which is related to the acr122_usb library, which is a new experimental driver that libnfc is using by default for Touchatag/ACR122U devices.

In order to troubleshoot the issue of my ACR122 reader not been found,  I followed the advise in the above mentioned ticket, and recompiled libnfc using  support for acr122_pcsc driver (./configure --with-drivers=acr122_pcsc && make clean all). After this, I was able to successfully get the nfc-list example running and properly recognizing the reader device:
NFC device:
ACS ACR122U PICC Interface 00 00 / ACR122U207 opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  44 
       UID (NFCID1): 04  a3  23  99  10  28  80 
      SAK (SEL_RES): 00

However, when I compile and run a libfreefare example (mifare-ultralight-info.c) that tries to open the reader, I get the same error message I was getting previously, when running the nfc-list example with the new ACR122 driver:
"nfc_open() failed."

Can this issue be related to the new ACR122 driver that libnfc is using by default?

Many thanks as always

Re: Ultralight C changing default 3DES key

Mmm it should work.
I usually use the acr122_usb (when I use such reader) but now I tried the acr122_pcsc again and it works too.
Note that if you try acr122_usb, stop pcscd daemon to avoid conflicts.

When you recompiled with acr122_pcsc and tried nfc-list, did you install properly the lib so that libfreefare is using that one and not the old one?

Phil

Re: Ultralight C changing default 3DES key

When I recompiled libnfc with acr122_pcsc, I made sure to delete the any reference to it in /usr/local/lib and /usr/local/include.  Is there a way to check if libfreefare is using the new one?

Thanks

Re: Ultralight C changing default 3DES key

you can use ldd to inspect which dynamic libraries will be used

Re: Ultralight C changing default 3DES key

Awesome.. Everything works fine. Thank you so much Phil for all your help and support! Much appreciated!

Re: Ultralight C changing default 3DES key

I'm glad you eventually managed to get everything working!

Re: Ultralight C changing default 3DES key

Hi! Do you know why even the default key in ultralight C is "425245414b4d454946594f5543414e21" (BREAKMEIFYOUCAN!) the key used for decrypting on is "49454D4B41455242214E4143554F5946"?  (I took this value from mifare-ultralight-info.c in libfreefare examples). I guess there's a relation between them , but I don't know what it is. If I change the 3des key on the card I cannot authenticate using it, but if I return the card to the default one it works again (using "49454D4B41455242214E4143554F5946" for decrypting) . Any help is appreciated.
Thanks
Gaston

21 (edited by yobibe 2012-12-14 16:00:31)

Re: Ultralight C changing default 3DES key

Please don't cross-post twice the same question.
You got your answer here: http://www.libnfc.org/community/post/3974/#p3974